Secure by design | VoIP encryption

VoiceHost SIP encryption using TLS and SRTP

VoiceHost is launching VoIP encryption support over our network after a successful beta, so here is a timely synopsis on the topic.

Linked very much to our previous post on security vs usability, does a provider use a proprietary protocol? This would render all 3rd party end-points unable to utilise the service; or simply choose a widely adopted one?

IP Encryption has been around for years and there are many protocols and ciphers (math algorithms) used in everything from satellite TV broadcasting, door entry systems, banking systems, mobile networks and VoIP network providers like VoiceHost.

How does it work with VoIP?

VoIP and SIP communication is split into two parts, signalling and media.

  • Signalling – The use of SIP commands or instructions on how the communication will work.
  • Media – The packetisation of the audio as agreed in the signalling (codec usage) – The payload.

Either or both of the above can be encrypted and the most widely used adopted protocols and ciphers are as below:

  • Signalling – TLS (Transport Layer Security) which allows the use of ciphers such as ‘RSA’ and ‘SRP’ to encrypt all the details about who/when/what and where you’re calling.
  • Media – SRTP (Secure Real-Time Protocol) allows the use of ciphers such as ‘AES to encrypt the audio and hide what you’re actually saying.
How secure am I?

There is no easy answer but some straightforward examples may help give you an idea.
Encryption can help protect you from eavesdropping on our network but anyone off-network would be a security liability. If both the caller and the far-end were on the VoiceHost network, the call would be much more secure. Where practicable, using a VoiceHost data product would eliminate traversing a public network; making it the most robust and secure option.

You should also consider other potential vulnerabilities such as wireless. Wireless by definition is a broadcast into the ether, unlike a physical connection which would require intrusive tampering. This makes it vulnerable. There are also a multitude of wireless protocols which vary from WEP (insecure) to WPA2 (secure) to consider. MAC whitelisting and VoIP VLANs are a good way of protecting Voice but don’t be limited to just routing. DECT handsets are generally insecure and have a moderate range even beyond WiFi.

Given that AES-256 has 2-to-the-power-of 256 possible combinations it would take decades to decode using the most powerful computers all working together, so a 3 hour conversation would be very secure from any brute-force attempts. Each key is thrown away after usage too.

How important is it?

This can only be answered by you! How private are the calls you are making? How sensitive is your discussion? If you’re an outbound calling only marketing company, it wouldn’t rank too highly for you but if you’re discussing anything that may cause harm outside of the conversation; then it would mean peace of mind. Personal and financial information is an obvious consideration.

Fraud is a the single biggest threat to internet based communications and based on current and historical data the vast majority (80%+) of VoIP fraud is conducted by scanning SIP ports and sniffing visible traffic. Obfuscating traffic through encryption is the simplist defence with the most powerful results.

VoiceHost support complete end-to-end encryption using Snom, Cisco, Yealink and various 3rd party softphone vendors and PBXs for both TLS and SRTP.

Get in touch

VoiceHost Limited
Norfolk Tower
Surrey Street
Norwich
NR1 3PA

0345 561 0 561 | 0800 2 545454

support@voicehost.co.uk

Connect With Us

Download the iOS App from the Apple App Store

Get the Android app from the Google Play store